Computer is Win 7 Home Edition 64-bit. Kaspersky finds that c:\windows\system32\consrv.dll is infected with HEUR:Backdoor.Win64.Generic virus. I have updated Kaspersky, run scans in normal and SAFE mode but virus is not fixed. Continuously get the Kaspersky message about this virus and while I've run the special disinfection procedure numerous times as well as the second option the virus remains. I've included the GetSystemInfo zip file. What recommendations do you have?
Thanks,
Charlie

Welcome. Please post the full, complete detection details. Post screenshot of Reports > Detailed Report > Detected threats. Right click the Detected bar, and select Path. Right click the Detected bar again and select File. Then post the screenshot with columns widened to show full detected and name and object and path/location details.

How to take and post screenshot: PrtSc (Print screen) key (upper right part of keyboard)> open Paint (Start > All programs > Accessories) > Edit > Paste, File > Save as (jpeg or png, Not bmp). When replying, Browse > click once to select file > Open > Upload > add reply.

Before downloading and Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the Combofix file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

--------------------
The instructions posted here are for the original poster Only. If you have the same or another issue, please see the first Important read me topic, and then open a New Topic for yourself.

--------------------

Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

>Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Apparently ComboFix has changed as to where they save the log files and the names of the files. Therefore I've attached the file that was displayed as well as a second file that was saved upon the completion of running ComboFix.

Thanks again for helping me. Please let me know what else you need for me to do.
Charlie

Thank you for the link, and you're welcome. Also, scan with Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php Update it first, scan and attach its log, but Please Don't remove anything yet, until the log is reviewed.


You are infected with a new version of sirefef/zeroaccess. Go to Control panel/services/administrative tools/services and look for the following service: "Safety Settings Service". I had also a new version of zeroaccess and this service was the "secondary" launcher of the virus. If the service is not there, you can do a registry scan with RegScanner and find what services were created around the date you've found that you're infected.

Alternatively, you can scan consrv.dll on VirusTotal and find what antivirus program is detecting correctly your version of zeroaccess and try an online scan with that antivirus solution.


I tried to inform the viruslab. But when I click Upload the search does not locate the infected file. Windows Explorer shows the file. I tried zipping the file and I am told the file doesn't exist. How am I going to be able to get the file to the viruslab? The file is c:\windows\system32\consrv.dll.

May I add that early in the process of dealing with this situation I booted to SAFE mode command line (prompt). I found the file and was able to rename it. Kaspersky put the 'renamed' file into storage when I rebooted and ran Kaspersky scan; but I don't know how to send it to the lab from storage. I had thought that fixed my problem but shortly afterward the file reappeared.

I could try renaming it and see if the 'Upload' will find the renamed file.

> Go to Control panel/services/administrative tools/services and look for the following service : "Safety Settings Service".

Did not find that service.

> and find what services were created around the date you've found that you're infected

The date of the file 7/13/2009 has 10000 items listed when I run the registry scan for that date. Now I don't know when the problem actually started as the computer is used by one of my employees. She has complained for at least a month that the computer has been 'acting up'. But the file that Kaspersky is saying is infected (consrv.dll) is dated 7/13/09.

VirusTotal: https://www.virustotal.com/
Unfortunately the Upload (file browsing) doesn't find the file; just like above when I tried to upload the file to the viruslab.

The date 7/13/2009 is not the date of the infection, it's a fake date created by the virus so a newbie would believe that is a legit file (the date is almost similar to many of win7 64bit system files). To reveal the consrv.dll try this: go to Control Panel/Folder Options/View/ and make sure "Show hidden files, folders and drives" radio is selected and the checkbox "Hide protected operating system files" is unchecked. Click "Apply" and go to windows/system32 and look for consrv.dll. If you can find it, scan it at VirusTotal or send it at kaspersky viruslab.
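An added PowerShell example (not posted by anyone in this thread) that does from an elevated console what the last two posts describe by hand: it reads the hidden/system-attributed consrv.dll that the file-browse dialog skips, records its hash and signature status for a VirusTotal lookup or lab submission, copies it to a staging folder, and then lists services by the creation time and signature status of their binaries, which is the "services created around that date" check without a registry tool. It assumes PowerShell 5.1 (WMF 5.1 on Windows 7) for Get-FileHash; the path C:\Windows\System32\consrv.dll is the one named in the thread, and the staging folder name is an arbitrary choice.

```powershell
# Added example, not from any poster in this thread. Run as Administrator.
$target = 'C:\Windows\System32\consrv.dll'

# -Force returns files carrying the Hidden/System attributes that the
# normal Open dialog hides, which is why the upload could not find it.
$file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
if ($file) {
    $file | Select-Object FullName, Attributes, Length, CreationTime, LastWriteTime | Format-List
    # The SHA256 can be searched on VirusTotal without uploading the file itself.
    Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 | Format-List
    # A genuine Microsoft binary in System32 is Authenticode-signed; note the status.
    Get-AuthenticodeSignature -FilePath $file.FullName | Select-Object Status, SignerCertificate | Format-List
    # Copy-Item -Force reads the hidden/system file so it can be zipped for the lab.
    $staging = Join-Path $env:USERPROFILE 'Desktop\consrv_sample'   # assumed folder name
    New-Item -ItemType Directory -Path $staging -Force | Out-Null
    Copy-Item -LiteralPath $file.FullName -Destination $staging -Force
} else {
    Write-Host "Nothing found at $target (the dropper may have moved it)"
}

# Turn a service ImagePath value into a plain file path.
function Resolve-ImagePath([string]$raw) {
    if ($raw -match '^"([^"]+)"') { $p = $Matches[1] }        # quoted path, may contain spaces
    else { $p = ($raw -split ' ')[0] }                        # unquoted: first token is the binary
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\SystemRoot\\')   { $p = $p -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($p -match '^\\\?\?\\')     { $p = $p -replace '^\\\?\?\\', '' }   # \??\C:\... form
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p } # e.g. system32\drivers\x.sys
    return $p
}

# Newest service binaries first; an unsigned one with a recent creation
# time is what the "Safety Settings Service" advice above is looking for.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $prop = Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
    if (-not $prop) { return }
    $bin = Get-Item -LiteralPath (Resolve-ImagePath $prop.ImagePath) -Force -ErrorAction SilentlyContinue
    if (-not $bin) { return }
    [pscustomobject]@{
        Service   = $_.PSChildName
        Binary    = $bin.FullName
        Created   = $bin.CreationTime
        Signature = (Get-AuthenticodeSignature -FilePath $bin.FullName).Status
    }
} | Sort-Object Created -Descending | Select-Object -First 25 | Format-Table -AutoSize
```

Creation timestamps can be forged, as the post above notes for the 7/13/2009 date, so treat the signature column as the stronger signal and the times as a hint only.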